Hi All,

My IE is popping up random pages even without opening IE.

Here is the ComboFix log


Thanks in advance...



ComboFix 08-12-02.02 - WASIMz 2008-12-03 19:38:08.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.294 [GMT -6:00]
Running from: c:\documents and settings\WASIMz\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users.\documents\settings
c:\documents and settings\All Users.\documents\settings\desktop.ini
c:\documents and settings\All Users.\documents\settings\winsys2f.dll
c:\documents and settings\All Users.\documents\settings\winsys2f.dll~
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\LocalService\Application Data\NetMon
c:\documents and settings\LocalService\Application Data\NetMon\domains.txt
c:\documents and settings\LocalService\Application Data\NetMon\log.txt
c:\documents and settings\WASIMz\Application Data\gadcom
c:\documents and settings\WASIMz\Application Data\gadcom\gadcom.exe
c:\documents and settings\WASIMz\Application Data\install.dat
c:\documents and settings\WASIMz\Local Settings\Temporary Internet Files\fbk.sts
c:\documents and settings\WASIMz\Start Menu\Programs\Startup\Deewoo.lnk
c:\documents and settings\WASIMz\Start Menu\Programs\Startup\DW_Start.lnk
c:\program files\Common Files\{F0B0B~1
c:\program files\Common Files\{F0B0B~1\system.dll.lzma
c:\program files\Common Files\{F0B0B~1\Update.exe.lzma
c:\program files\network monitor
c:\program files\network monitor\netmon.exe
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\temp\tn3
c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\system32\ahowdsdw.dll
c:\windows\system32\atmtd.dll
c:\windows\system32\atmtd.dll._
c:\windows\system32\BacfLRqr.ini
c:\windows\system32\BacfLRqr.ini2
c:\windows\system32\dwwnw64r.exe
c:\windows\system32\gside.exe
c:\windows\system32\iatlypai.dll
c:\windows\system32\mdm.exe
c:\windows\system32\msnav32.ax
c:\windows\system32\opnmMghi.dll
c:\windows\system32\opnnnmkj.dll
c:\windows\system32\prunnet.exe
c:\windows\system32\rqRLfcaB.dll
c:\windows\system32\rqwnw64k.exe
c:\windows\system32\svcp.csv
c:\windows\system32\vmpcrv.dll
c:\windows\system32\vx.tll
c:\windows\system32\wdsdwoha.ini
c:\windows\system32\wincom32.ini
c:\windows\system32\winpfz33.sys
c:\windows\system32\winsub.xml
c:\windows\system32\zxdnt3d.cfg
c:\windows\Tasks\sqaqyspl.job
c:\windows\Tasks\wkuuioun.job
c:\windows\uninstall_nmon.vbs
c:\windows\V2FzaW0gTWFzb29kIE5haHZp\
c:\windows\V2FzaW0gTWFzb29kIE5haHZp\\asappsrv.dll
c:\windows\V2FzaW0gTWFzb29kIE5haHZp\\command.exe
c:\windows\V2FzaW0gTWFzb29kIE5haHZp\\pZIWuqX0nqIWvZ64KHc1uJtD.vbs
c:\windows\V2FzaW0gTWFzb29kIE5haHZp\command.exe
c:\windows\system32\drivers\core.cache.dsk . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://childhe.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_OREANS32
-------\Service_cmdService
-------\Service_Network Monitor
-------\Service_oreans32


((((((((((((((((((((((((( Files Created from 2008-11-04 to 2008-12-04 )))))))))))))))))))))))))))))))
.

2008-12-03 19:50 . 2008-12-03 19:50 <DIR> d-------- c:\temp\tn3
2008-12-03 18:20 . 2008-12-03 18:20 548,934 --a------ c:\windows\system32\ncnttsdl.exe
2008-12-03 16:55 . 2008-12-03 16:55 90,915 --a------ c:\windows\system32\vqeicsbtxtdxnjhb.dll-uninst.exe
2008-12-03 16:53 . 2008-12-03 16:53 <DIR> d-------- c:\temp\DIV55
2008-12-03 16:53 . 2008-12-03 16:53 153,362 --a------ c:\windows\system32\g87.exe
2008-12-03 16:53 . 2008-12-03 16:53 86,272 --a------ c:\windows\system32\drivers\mountmgrr.sys
2008-12-03 16:53 . 2008-12-03 19:50 932 --------- c:\windows\system32\drivers\core.cache.dsk
2008-12-03 16:52 . 2008-12-03 16:52 <DIR> d-------- c:\windows\system32\VC
2008-12-03 16:52 . 2008-12-03 16:52 <DIR> d-------- c:\windows\system32\uv9
2008-12-03 16:52 . 2008-12-03 16:52 <DIR> d-------- c:\windows\system32\ki3
2008-12-03 16:52 . 2008-12-03 16:53 <DIR> d-------- c:\windows\system32\bin
2008-12-03 16:52 . 2008-12-03 19:50 <DIR> d-------- C:\Temp
2008-12-03 16:52 . 2008-12-03 16:52 32,768 --a------ c:\windows\system32\awtrOgeF.dll
2008-11-25 08:26 . 2008-11-25 08:27 <DIR> d-------- C:\kontaktz
2008-11-18 19:30 . 2008-11-18 19:30 <DIR> d-------- c:\documents and settings\Guest
2008-11-13 22:21 . 2008-11-13 22:21 <DIR> d-------- c:\program files\Alex Feinman
2008-11-11 09:16 . 2008-11-11 09:25 <DIR> d-------- c:\windows\system32\CatRoot_bak
2008-11-11 09:16 . 2008-11-23 13:01 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-04 01:25 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2008-11-11 15:16 --------- d--h--r c:\documents and settings\WASIMz\Application Data\yahoo!
2008-11-11 14:49 --------- d-----w c:\program files\Yahoo!
2008-11-11 14:48 --------- d-----w c:\documents and settings\All Users\Application Data\Yahoo!
2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
2008-10-07 14:17 --------- d-----w c:\program files\IrfanView
2008-10-07 14:07 --------- d-----w c:\program files\DVD Ripper Suite
2008-09-30 11:13 1,286,152 ----a-w c:\windows\system32\msxml4.dll
2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
2006-08-30 07:40 64,000 --sha-w c:\windows\system32\autorun3.exe
2007-04-06 06:56 39,325 --sha-w c:\windows\system32\kas.exe
2006-08-30 07:40 64,000 --sha-w c:\windows\system32\OfcpfwSvcs.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{074fe05a-34b8-8cd7-a64a-ee136a5862ff}]
2008-07-03 09:49 364544 --a------ c:\windows\system32\vqeicsbtxtdxnjhb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
2008-12-03 16:52 32768 --a------ c:\windows\system32\awtrOgeF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDAD4DA1-61A2-4FD8-9C17-86F7AC245081}]
2008-07-28 04:47 160496 --a------ c:\progra~1\Yahoo!\Companion\Installs\cpn0\YTSingleInstance.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-13 1388544]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-11-01 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-11-01 126976]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2006-02-14 110592]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-02-14 512000]
"OfcpfwSvcs.exe"="c:\windows\system32\OfcpfwSvcs.exe" [2006-08-30 64000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-12-10 180269]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-01-31 385024]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\awtrOgeF.dll" [2008-12-03 32768]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtrOgeF]
2008-12-03 16:52 32768 c:\windows\system32\awtrOgeF.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=vmpcrv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
--a------ 2007-01-15 11:28 108160 c:\progra~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-19 01:40 267048 c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OfcpfwSvcs.exe]
--ahs---- 2006-08-30 01:40 64000 c:\windows\system32\OfcpfwSvcs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
--a------ 2005-12-12 21:19 217088 c:\progra~1\Nokia\NOKIAP~1\LAUNCH~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 11:43 385024 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-12-14 15:53 75520 c:\program files\Java\jre1.5.0_11\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-12-10 09:31 180269 c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2008-11-05 21:59 4347120 c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DAP\\DAP.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"c:\\Program Files\\Microsoft Visual Studio\\Common\\Tools\\VS-Ent98\\Vanalyzr\\VARPC.EXE"=
"c:\\Program Files\\EA GAMES\\MOHAA\\MOHAA.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 mountmgrr;mountmgrr;c:\windows\system32\drivers\mountmgrr.sys [2008-12-03 86272]
S3 yqfprhqr;yqfprhqr;\??\c:\windows\system32\drivers\yqfprhqr.sys [2004-08-03 14464]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a6240c0-5259-11dd-afcf-001125d36bac}]
\Shell\Auto\command - svchcst.exe
\Shell\AutoRun\command - c:\windows\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL svchcst.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{1aa8b0d5-1c87-4732-b434-f5efe71a927f} - c:\windows\system32\vmpcrv.dll
BHO-{45130C48-E495-4D94-A80F-C64B466DBCE7} - c:\windows\system32\rqRLfcaB.dll
HKCU-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-prunnet - c:\windows\system32\prunnet.exe
HKLM-Run-{0B-BD-D3-33-DW} - c:\windows\system32\rqwnw64k.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\WASIMz\Application Data\Mozilla\Firefox\Profiles\uyrwbk05.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxps://www.google.com/accounts/ServiceLogin?service=mail&passive=true&rm=false&continue=http%3A%2F%2Fmail.google.com%2Fmail%2F%3Fui%3Dhtml%26zy%3Dl&ltmpl=m_blanco&ltmplcache=2
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-12-03 19:50:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\windows\system32\awtrOgeF.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ibmpmsvc.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\windows\system32\WgaTray.exe
c:\program files\IVT Corporation\BlueSoleil\BTNtService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-12-03 19:53:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-12-04 01:53:35

Pre-Run: 1,586,081,792 bytes free
Post-Run: 1,853,427,712 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

232 --- E O F --- 2008-11-12 23:14:40

Please note the message text in blue at the top of the Am I infected? What do I do? forum.

ComboFix logs should not to be posted outside the HijackThis forums and then only when requested by a HJT Team member. It is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert", NOT for private use. Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

Please create a new topic explaining the nature of your problem in the Am I infected? What do I do? forum. Describe pop-ups and system tray or desktop icons that have appeared. Explain what is "going wrong" with your computer. Note any tools you have used and their respective results.

If needed, we will direct you to our HJT Preparation Guide.

Thank you for using BleepingComputer as your malware removal source.

This topic is now closed. If you have any questions, please PM me or another Moderator.
The BC Staff